Breaking and Fixing Destructive Code Read Defenses
Jannik Pewny, Philipp Koppe, Lucas Davi, and Thorsten Holz

TL;DR
This paper reveals that destructive code reads (DCR) can be bypassed even with high-entropy code randomization and introduces BGDX, a new byte-granular memory protection technique combining DCR and execute-only memory to defend legacy binaries effectively.
Contribution
The paper demonstrates the vulnerability of DCR against code inference attacks and introduces BGDX, a novel, efficient mitigation method that combines DCR and XOM for legacy binaries.
Findings
DCR can be bypassed regardless of code randomization.
BGDX effectively protects legacy binaries against code inference.
BGDX incurs only 3.95% performance overhead on SPEC benchmarks.
Abstract
Just-in-time return-oriented programming (JIT-ROP) is a powerful memory corruption attack that bypasses various forms of code randomization. Execute-only memory (XOM) can potentially prevent these attacks, but requires source code. In contrast, destructive code reads (DCR) provide a trade-off between security and legacy compatibility. The common belief is that DCR provides strong protection if combined with a high-entropy code randomization. The contribution of this paper is twofold: first, we demonstrate that DCR can be bypassed regardless of the underlying code randomization scheme. To this end, we show novel, generic attacks that infer the code layout for highly randomized program code. Second, we present the design and implementation of BGDX (Byte-Granular DCR and XOM), a novel mitigation technique that protects legacy binaries against code inference attacks. BGDX enforces memory…
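To make the three policies in the abstract concrete, here is a small added model (written for this page, not the paper's code and not BGDX) of a code region under plain readable/executable memory, execute-only memory (XOM) and destructive code reads (DCR). It assumes a destructive read writes an int3 trap byte (0xCC) back in place of the disclosed byte and uses a constructed two-byte gadget (pop rax; ret); real DCR implementations differ in what they write back. The scenarios show what each policy does and does not stop: reading a gadget and then executing it, versus jumping to a gadget whose location the attacker already knows without ever reading it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model of three code-page policies (constructed for illustration,
   not the paper's BGDX implementation). */
enum policy { POL_RX = 0, POL_XOM = 1, POL_DCR = 2 };

#define CODE_SIZE 8
#define TRAP_BYTE 0xCC   /* x86 int3; assumed value written back by a destructive read */

struct region {
    uint8_t code[CODE_SIZE];
    enum policy pol;
};

/* Constructed sample code: pop rax (0x58); ret (0xC3); nop padding. */
static const uint8_t SAMPLE_CODE[CODE_SIZE] = { 0x58, 0xC3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };

static void region_init(struct region *r, enum policy pol) {
    memcpy(r->code, SAMPLE_CODE, CODE_SIZE);
    r->pol = pol;
}

/* Memory-disclosure primitive reading one code byte.
   Returns 0 and stores the byte, or -1 if the read faults (XOM).
   Under DCR the read succeeds but the byte is replaced by a trap. */
int disclose_byte(struct region *r, size_t off, uint8_t *out) {
    if (off >= CODE_SIZE) return -1;
    if (r->pol == POL_XOM) return -1;
    *out = r->code[off];
    if (r->pol == POL_DCR) r->code[off] = TRAP_BYTE;
    return 0;
}

/* Instruction fetch of one byte. Returns 0 and stores the byte, or -1 if
   the byte has been destroyed (executing the trap would crash). */
int fetch_byte(const struct region *r, size_t off, uint8_t *out) {
    if (off >= CODE_SIZE) return -1;
    if (r->code[off] == TRAP_BYTE) return -1;
    *out = r->code[off];
    return 0;
}

/* Classic JIT-ROP: read n gadget bytes to learn them, then execute them.
   Returns 1 if the gadget still executes, 0 if the policy blocked it. */
int read_then_execute(enum policy pol, size_t n) {
    struct region r; uint8_t b;
    region_init(&r, pol);
    for (size_t i = 0; i < n; i++)
        if (disclose_byte(&r, i, &b) != 0) return 0;   /* XOM: read faults */
    for (size_t i = 0; i < n; i++)
        if (fetch_byte(&r, i, &b) != 0) return 0;      /* DCR: bytes are now traps */
    return 1;
}

/* Code-inference scenario: the attacker never reads the bytes but already
   knows (or has inferred) where the gadget is and jumps to it directly.
   Returns 1 if the gadget executes. */
int execute_without_reading(enum policy pol, size_t n) {
    struct region r; uint8_t b;
    region_init(&r, pol);
    for (size_t i = 0; i < n; i++)
        if (fetch_byte(&r, i, &b) != 0) return 0;
    return 1;
}

/* DCR destroys only the bytes that were read: after disclosing byte 0,
   byte 0 no longer executes but byte 1 still does. Returns 1 if so. */
int dcr_neighbour_survives(void) {
    struct region r; uint8_t b;
    region_init(&r, POL_DCR);
    if (disclose_byte(&r, 0, &b) != 0) return 0;
    return fetch_byte(&r, 0, &b) != 0 && fetch_byte(&r, 1, &b) == 0;
}

int main(void) {
    const char *names[] = { "RX ", "XOM", "DCR" };
    for (int p = POL_RX; p <= POL_DCR; p++)
        printf("%s  read-then-execute: %d  execute-without-reading: %d\n",
               names[p], read_then_execute((enum policy)p, 2),
               execute_without_reading((enum policy)p, 2));
    printf("DCR leaves unread neighbour executable: %d\n", dcr_neighbour_survives());
    return 0;
}
```

The read-then-execute scenario fails under both XOM and DCR, which is the protection the abstract credits them with. The second scenario succeeds under every policy: neither mechanism inspects execution of bytes that were never read, so they rely entirely on the attacker not knowing the code layout. That is why DCR is paired with code randomization, and why the paper's attacks, which infer the layout without issuing destructive reads, bypass DCR regardless of the randomization scheme.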
Taxonomy
Topics: Security and Verification in Computing · Diamond and Carbon-based Materials Research · Advanced Malware Detection Techniques
